Restricted Groups

Sadly, at work we operate with pretty much all users as local administrators. Their local administrator rights allow a user to remove domain administrators from the local Administrators group, which breaks our ability to manage the systems. Years ago we set up a login script to add Domain Admins to the local Administrators group if the user was a local administrator. We looked for a way to do this in Group Policy, but we were always told that it is not possible to append members to a group.
Based on something I had read a while back about this actually being possible, I decided to look into it further. What I found is that the Restricted Groups portion of Group Policy has a “Member of” setting. I can set Domain Admins as a restricted group and leave the “Members” portion blank. This does not erase the current members of the group as it did in earlier versions of Windows. Then in the “Member of” box, I add Administrators. This adds the Domain Admins group to the local Administrators group on all domain computers.
No muss no fuss.
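An added example, not part of the original post: a PowerShell check that confirms the policy actually landed on a given machine, i.e. that Domain Admins is still present in local Administrators. It assumes a domain-joined host running Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and takes the domain name from $env:USERDOMAIN.

```powershell
# Added example (not from the original post): verify that the Restricted Groups
# "Member of" policy described above has taken effect on this computer by checking
# that the domain's Domain Admins group is a member of the local Administrators group.
# Assumptions: domain-joined machine, Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).

function Test-DomainAdminsInLocalAdmins {
    param(
        # Domain group the policy is supposed to add; built from the joined domain's name
        [string]$DomainGroup = "$env:USERDOMAIN\Domain Admins"
    )

    # Enumerate current members of the built-in Administrators group
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    # Case-insensitive match on the "DOMAIN\Group" name
    $present = $members | Where-Object { $_.Name -ieq $DomainGroup }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DomainAdminsPresent = [bool]$present
        Members             = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

# Run it; a result with DomainAdminsPresent = $false means a local admin has removed
# the group again and the policy has not yet re-applied (run gpupdate /force and re-check).
Test-DomainAdminsInLocalAdmins
```

Because the Restricted Groups policy is re-applied at each Group Policy refresh, a false result that turns true after gpupdate is expected; a result that stays false points at a policy scoping or filtering problem rather than a local admin.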


  1. When you say “previous versions of windows”, which version DOES this work with? I would like to do the same, but it’s not going to be pretty if I blow away a bunch of local admins 🙁

  2. I tested with XP SP2 and Win2k SP4 and was fine. I didn’t find articles that would specify exactly when this came about.
    Sorry, I don’t know the exact answer. Make sure you test well. 🙂

